All of us have heard about SpyEye, a malware family of information/data stealers similar to ZeuS/ZBOT. This malware is sometimes known as a “ZeuS killer,” as it stops any ZeuS malware already present on an affected system from running. This topic was discussed before in the blog post, “Keeping an Eye on the EYEBOT and a Possible Bot War.”

We were able to further investigate a command-and-control (C&C) server of a SpyEye botnet, most of whose zombies were located in Poland. This is somewhat unusual, as bot herders prefer to target Western countries like the United States, the United Kingdom, Germany, Italy, Spain, and France.

We were able to access different Control Panel tabs on this SpyEye server and saw some interesting bits of information such as its number of bots and their locations:

A statistical breakdown of the bots by OS, Internet Explorer version, and whether they run as administrators or not was also found:

We also came across botnet configuration and stolen data details:

After digging through all the data, we found that several credentials had been stolen. These credentials come from banks, social networking sites, and career/job-hunting sites. The server was not particularly secure. In fact, the bot herder who used this particular server left several open folders as well as readable configuration files. We also gathered 400 MB of stolen data from this particular C&C server.

After having infected users with SpyEye malware, the bot master is now pushing a new TDSS variant detected as TROJ_TDSS.VAD. This links SpyEye to one of the major families that we know to be part of the pay-per-install (PPI) business:

We will continue to monitor this particular C&C server, as well as the SpyEye botnet as a whole. Further developments may be posted here at the Malware Blog.


This entry was posted on Wednesday, September 8th, 2010 at 1:59 am and is filed under Bad Sites, Botnets.